US9917853B2 · US · B2
Session slicing of mirrored packets · US-12184680-B2 · Dec 31, 2024 · US
| Field | Value |
|---|---|
| Publication number | US-9917853-B2 |
| Application number | US-201514840739-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 31, 2015 |
| Priority date | Aug 31, 2015 |
| Publication date | Mar 13, 2018 |
| Grant date | Mar 13, 2018 |
Official abstract text for this publication.
Systems and techniques for displaying timelines of event logs are described. A software application may identify event logs associated with an identifier, such as an IP address of a network element or a username. The software application may group the identified event logs based on specified criteria. The software application may determine multiple sessions in which an individual session includes a group of event logs arranged along a timeline. Sessions associated with a same network element may be displayed with a same magnitude. Sessions associated with different network elements may be displayed with different magnitudes. For example, a first timeline of event logs in a first session at a first network element may be displayed at a first height. A second timeline of event logs in a second session at a second network element may be displayed at a second height.
Claims.
What is claimed is:
1. A computer-implemented method, comprising: identifying, in an event log database, a plurality of event logs associated with an identifier and having corresponding timestamps that are within a specified time interval; grouping, by auditing software executed by one or more processors of a central server, the plurality of event logs based at least in part on one or more criteria to create one or more groups of events, the criteria including a location associated with each event log of the plurality of event logs; determining, by the auditing software, a first session based on a group of events from the one or more groups of events, the group of events starting with a specified type of event that includes a logon event; and displaying the first session as a first timeline of events in a graphical interface, wherein the logon event is displayed on the graphical interface as a starting point on the first timeline.
2. The computer-implemented method of claim 1, wherein the identifier comprises at least one of an internet protocol (IP) address associated with the first network element or a username included in user credentials used to logon to the first network element.
3. The computer-implemented method of claim 1, further comprising: displaying, in the graphical interface, a second session associated with a second network element, wherein the first timeline of events is displayed in the graphical interface with a first magnitude on an axis and the second session is displayed as a second timeline of events in the graphical interface with a second magnitude on the axis.
4. The computer-implemented method of claim 3, further comprising: displaying the first timeline and the second timeline hierarchically in the graphical interface based at least in part on: an individual set of user credentials associated with individual event logs; and an individual network element associated with the individual event logs.
5. The computer-implemented method of claim 1, wherein the one or more criteria include a network element identifier.
6. The computer-implemented method of claim 1, wherein: the first timeline of events is aligned to a common timeline in the graphical interface.
7. One or more non-transitory computer-readable media storing instructions that are executable by one or more processors to perform operations comprising: identifying, from an event log database including a plurality of stored event logs, one or more event logs associated with an identifier; grouping, by the one or more processors, the one or more event logs based on one or more criteria to create one or more groups of events, the one or more criteria including a location associated with each event log of the plurality of event logs; determining, by the one or more processors, a first session based on a group of events of the one or more groups of events, the first session including a specified type of event that includes a logon event, the first session is associated with a first network element; and displaying the first session as a first timeline of events in a graphical interface, wherein the logon event is displayed on the graphical interface as a starting point on the first timeline, the first session having a first magnitude on an axis.
8. The one or more non-transitory computer-readable media of claim 7, wherein: the first network element comprises one of a user computing device, a server computing device, or a database hosting device.
9. The one or more non-transitory computer-readable media of claim 7, wherein a size of an event displayed in the first session on the graphical interface is proportional to a severity of the event.
10. The one or more non-transitory computer-readable media of claim 7, wherein a color of an event displayed in the first session on the graphical interface is indicative of a severity of the event.
11. The one or more non-transitory computer-readable media of claim 7, further comprising: displaying a second session associated with a second network element as a second timeline of events on the graphical interface, the second session having a second magnitude that is different from the first magnitude.
12. The one or more non-transitory computer-readable media of claim 7, further comprising: displaying a third session associated with the first network element as a third timeline of events on the graphical interface, the third session having the first magnitude on the axis.
13. A server, comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that are executable by the one or more processors to perform operations comprising: identifying, in an event log database, a plurality of event logs based at least in part on an identifier; creating, by the one or more processors, one or more groups of events by grouping the plurality of event logs based at least in part on a location associated with individual event logs of the plurality of event logs; determining, by the one or more processors, a plurality of sessions based at least in part on the groups of events, individual sessions of the plurality of sessions including a specified type of event that includes a logon event, the plurality of sessions including at least a first session and a second session; displaying the first session as a first timeline of events in a graphical interface, the first session having a first magnitude; and displaying the second session as a second timeline of events in the graphical interface, the second session having a second magnitude.
14. The server of claim 13, wherein: the first session is associated with a first network element; the second session is associated with the first network element; and the second magnitude comprises the first magnitude.
15. The server of claim 13, wherein: the first session is associated with a first network element; the second session is associated with a second network element; and the second magnitude is different than the first magnitude.
16. The server of claim 13, the operations further comprising: displaying a third session associated with a second network element as a third timeline of events in the graphical interface, the third session having a third magnitude.
17. The server of claim 13, wherein the plurality of event logs include at least one of: a logon event log, a logoff event log, a failed logon event log, a directory accessed event log, a file created event log, a directory accessed event log, a read data event log, or a copy data event log.
18. The server of claim 13, wherein a first set of event logs in the first timeline of events is displayed in the graphical interface in an order according to a timestamp associated with each event log in the first set of event logs.
19. The server of claim 13, wherein identifying the plurality of event logs based at least in part on the identifier comprises: identifying the plurality of event logs based at least in part on the identifier and based at least in part on a specified time interval.
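The claims describe a concrete pipeline: select event logs tied to an identifier (username or IP) inside a time interval, group them by location (the network element that recorded them), cut each group into sessions that begin at a logon event, then lay the sessions out as timelines where every session of the same network element shares one magnitude and different elements get different magnitudes, with severity driving marker size. The following Python is an added worked example of that pipeline and is not code from the patent or its assignee. The log schema, the event-type vocabulary and severity weights, the rule that a session ends at a logoff or at the next logon on the same host, the lane-per-host magnitude, and the sample log lines are all assumptions made for this example; the patent specifies none of them. It also generalizes slightly beyond claim 2 by accepting either a username or a source IP as the identifier in one selection step.

```python
"""Session slicing of event logs in the manner of claims 1, 7 and 13.

Assumed schema (not from the patent): each event carries a timestamp, the
user, the source IP, the host (network element) that logged it, and a kind.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumed severity weights; claim 9 only says size is proportional to severity.
SEVERITY = {"logon": 1, "logoff": 1, "failed_logon": 3, "dir_accessed": 2,
            "file_created": 2, "read_data": 2, "copy_data": 4}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    host: str   # network element where the event was recorded (the "location")
    kind: str


@dataclass
class Session:
    host: str
    events: list = field(default_factory=list)

    @property
    def start(self):
        return self.events[0].ts

    @property
    def end(self):
        return self.events[-1].ts


# Constructed sample log for this example (not from the patent), deliberately
# out of order, with one event outside the window and one from another user.
SAMPLE = [
    Event(datetime(2015, 8, 31, 9, 0), "alice", "10.0.0.5", "fs01", "logon"),
    Event(datetime(2015, 8, 31, 9, 5), "alice", "10.0.0.5", "fs01", "dir_accessed"),
    Event(datetime(2015, 8, 31, 9, 7), "alice", "10.0.0.5", "fs01", "copy_data"),
    Event(datetime(2015, 8, 31, 9, 30), "alice", "10.0.0.5", "fs01", "logoff"),
    Event(datetime(2015, 8, 31, 8, 58), "alice", "10.0.0.5", "db02", "failed_logon"),
    Event(datetime(2015, 8, 31, 8, 59), "alice", "10.0.0.5", "db02", "logon"),
    Event(datetime(2015, 8, 31, 9, 10), "alice", "10.0.0.5", "db02", "read_data"),
    Event(datetime(2015, 8, 31, 14, 0), "alice", "10.0.0.5", "fs01", "logon"),
    Event(datetime(2015, 8, 31, 14, 2), "alice", "10.0.0.5", "fs01", "file_created"),
    Event(datetime(2015, 8, 30, 23, 0), "alice", "10.0.0.5", "fs01", "logon"),   # outside window
    Event(datetime(2015, 8, 31, 9, 1), "bob", "10.0.0.9", "fs01", "logon"),      # other identifier
]
WINDOW = (datetime(2015, 8, 31), datetime(2015, 9, 1))  # assumed time interval


def select(events, identifier, start, end):
    """Claims 1 and 19: events tied to an identifier (username or IP) within [start, end)."""
    return sorted((e for e in events
                   if identifier in (e.user, e.src_ip) and start <= e.ts < end),
                  key=lambda e: e.ts)


def group_by_location(events):
    """Claims 1 and 13: group by location, here the host that recorded the event."""
    groups = defaultdict(list)
    for e in events:
        groups[e.host].append(e)
    return groups


def slice_sessions(host, events):
    """A session starts at a logon (claims 1, 7, 13). Events before the first logon,
    such as a failed logon, belong to no session. Assumed end rule: a session ends
    at a logoff or when the next logon on the same host begins a new one."""
    sessions, current = [], None
    for e in events:  # caller supplies time-ordered events (claim 18)
        if e.kind == "logon":
            current = Session(host, [e])
            sessions.append(current)
        elif current is not None:
            current.events.append(e)
            if e.kind == "logoff":
                current = None
    return sessions


def build_timelines(events, identifier, start, end):
    """Return {host: (magnitude, sessions)}. One lane per host, so sessions of the
    same network element share a magnitude (claims 12, 14) and different elements
    differ (claims 11, 15); all lanes sit on the common time axis (claim 6)."""
    selected = select(events, identifier, start, end)
    result = {}
    for lane, (host, evs) in enumerate(sorted(group_by_location(selected).items()), start=1):
        result[host] = (lane, slice_sessions(host, evs))
    return result


def render(timelines):
    """Text rendering: one row per session; marker width grows with severity (claim 9)."""
    rows = []
    for host, (lane, sessions) in timelines.items():
        for s in sessions:
            marks = " ".join(f"{e.ts:%H:%M}:{'#' * SEVERITY[e.kind]}{e.kind}" for e in s.events)
            rows.append(f"h={lane} {host} {s.start:%H:%M}-{s.end:%H:%M} | {marks}")
    return "\n".join(rows)


def demo():
    """Timelines for user alice over the assumed one-day window."""
    return build_timelines(SAMPLE, "alice", *WINDOW)


if __name__ == "__main__":
    print(render(demo()))
```

Running it yields two lanes: db02 with one session (the 08:58 failed logon precedes any logon and is excluded from the session, which is the behaviour an analyst needs when the goal is to see what a credential did after it got in) and fs01 with two sessions separated by the 09:30 logoff. Selecting by `"10.0.0.5"` instead of `"alice"` gives the same nine events here, which is the point of claim 2: the same slicing works whether the pivot is a username or an address.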
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title